ciphers.1s
Display OpenSSL's list of cipher suites
SYNOPSIS
openssl ciphers [options] [cipherlist]
PARAMETERS
-v
verbose output with cipher details
-V
more verbose with hex IDs and bits
-s
print in SSL/TLS server/client preference order
-stdname
use IANA standard cipher names
-list
list ciphers only, no suites
-legacy
enable legacy cipher suites
-tls1_3
TLS 1.3 cipher suites only
-tls1_2
TLS 1.2 cipher suites only
-help
display help text
DESCRIPTION
The ciphers command, part of the OpenSSL toolkit, displays available cipher suites for SSL/TLS protocols.
It converts human-readable cipher list strings into their internal OpenSSL representations, showing supported ciphers, protocols, key exchange, authentication, encryption, and MAC algorithms.
Without arguments, it outputs the default cipher list used by OpenSSL applications. Specifying a cipherlist tests custom configurations, crucial for securing servers like Apache, Nginx, or HAProxy.
Options enable verbose details, protocol filtering (e.g., TLS 1.3 only), and sorting by security preference. This helps with compliance with standards like PCI-DSS or FIPS by confirming that weak ciphers (e.g., RC4, 3DES) are excluded.
Output formats include OpenSSL-specific names or IANA standard names, helping debug connection issues or verify compatibility across clients/browsers.
Usage example: openssl ciphers -v 'HIGH:!aNULL:!MD5' lists high-strength cipher suites, excluding anonymous (unauthenticated) suites and suites that use MD5.
CAVEATS
Cipher list syntax is OpenSSL-specific (e.g., 'HIGH:!MEDIUM'); deprecated ciphers may be removed in future versions. The command runs as a subcommand: 'openssl ciphers'.
CIPHER LIST EXAMPLES
HIGH: strong ciphers
DEFAULT:!eNULL:!aNULL: default list without null-encryption (eNULL) or anonymous (aNULL) suites
TLS_AES_256_GCM_SHA384: specific TLS 1.3 suite
OUTPUT INTERPRETATION
Columns: protocol, Kx=key exchange, Au=authentication, Enc=encryption (key bits in parentheses), Mac=MAC.
Example: TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
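Added example (not part of the original page or of OpenSSL): a shell filter that reads 'openssl ciphers -v' output and flags suites with the weak properties named above (anonymous authentication, null encryption, RC4, 3DES, MD5). The function names and the sample lines are constructed for illustration; it assumes each line starts with the suite name, followed by the columns described above.

```shell
#!/bin/sh
# audit_ciphers (hypothetical helper): reads `openssl ciphers -v` lines on
# stdin and prints "SUITE<TAB>reason[,reason...]" for every flagged suite.
audit_ciphers() {
    awk '
    NF >= 6 {
        au = enc = mac = ""
        # Columns after name and protocol are KEY=VALUE pairs.
        for (i = 3; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "Au")  au  = kv[2]
            if (kv[1] == "Enc") enc = kv[2]
            if (kv[1] == "Mac") mac = kv[2]
        }
        why = ""
        if (au  == "None")   why = why ",anonymous"        # aNULL
        if (enc == "None")   why = why ",null-encryption"  # eNULL
        if (enc ~ /^RC4\(/)  why = why ",RC4"
        if (enc ~ /^3DES\(/) why = why ",3DES"
        if (mac == "MD5")    why = why ",MD5"
        if (why != "") printf "%s\t%s\n", $1, substr(why, 2)
    }'
}

# Constructed sample in the -v layout, so the filter can be tried offline.
sample_output() {
    cat <<'EOF'
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)  Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256)  Mac=AEAD
DES-CBC3-SHA                   SSLv3   Kx=RSA      Au=RSA   Enc=3DES(168)    Mac=SHA1
RC4-MD5                        SSLv3   Kx=RSA      Au=RSA   Enc=RC4(128)     Mac=MD5
ADH-AES128-SHA                 SSLv3   Kx=DH       Au=None  Enc=AES(128)     Mac=SHA1
NULL-SHA                       SSLv3   Kx=RSA      Au=RSA   Enc=None         Mac=SHA1
EOF
}

# Offline demonstration on the constructed sample.
sample_output | audit_ciphers

# Against a real cipher list, e.g. the usage example from this page:
#   openssl ciphers -v 'HIGH:!aNULL:!MD5' | audit_ciphers
```

An empty result for the cipher string configured on a server means none of these five properties is present in the suites that string expands to on the local OpenSSL build.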
HISTORY
Introduced in early OpenSSL versions (~0.9.7, 2002); expanded in 1.0.x for TLS 1.0/1.1 support, 1.1.1 for TLS 1.3 preview, and 3.0+ with security levels and provider model.
SEE ALSO
openssl(1ssl), s_client(1ssl), s_server(1ssl)


